OpenLDAP, SSL, and PHP
It never ceases to amaze me how many outside dependencies there are for PHP. When trying to get a PHP application to connect to an LDAP server over SSL, you have to have the following:
- OpenLDAP (at least branch 2.x.x)
- OpenSSL
- Reminder: Compile OpenLDAP with SSL support! Just in case you didn't do that already.
Yes, but once you have all that done, then you need to hope and pray that it will connect successfully. On a Linux server, this is definitely a possibility (but a treacherous task at that). On a Windows machine: forget it. You might as well count your losses and start coding your application in .NET before you try connecting to an LDAP server via SSL with a Windows box (that or you need to be really good at compiling open-source software on Windows machines).
The Error
So, here’s the error message I’m getting in my PHP app:
Pretty generic error message, right? It can be anything. I’m guessing, though, that it’s something with OpenLDAP. That’s why it comes with the wonderful tool ldapsearch. This should help me figure out if it’s an application problem or an OpenLDAP problem.
Once again, a pretty generic error message. If you try to Google that error message, you’re not gonna get anywhere. This is where OpenLDAP’s debugging switch turns out to be quite handy. My favorite: -d 7. Watch it in action:
Lo and behold, the answer becomes evident:
I change the /etc/openldap/ldap.conf file line ‘TLS_CACERTDIR /etc/apache2/ssl.crt’ from what it is to ‘TLS_CACERTDIR /etc/ssl/certs’. I re-run the above command and it prompts me for a password. This is definitely a good sign. Running it again in my PHP code? Of course not.
Step 2: Google Some More
After more wonderful Googling for the most generic PHP error possible, I find that the problem may potentially be the certificate (view the thread). So, I decide to try to figure out how to actually view the certificate that’s on the server (in case it is self-signed or not trusted, somehow). This takes me the better part of half an hour, but I finally figure out the openssl command necessary to view the public key / certificate of a service:
This gave me the public key necessary to save and then place at /etc/ssl/certs/host.example.com.pem. After doing so, I ran c_rehash and then modified my /etc/openldap/ldap.conf file. I added the following lines to the config:
After restarting Apache and testing the PHP file, things seem to be going a little smoother. No more connect errors. I will update if something goes awry, though.
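
The two trust problems described in this post (TLS_CACERTDIR pointing at a directory without the right CA, and a newly saved certificate that has not yet been hashed by c_rehash) can be checked from the shell before PHP is involved. The script below is an added example, not part of the original post; the function names conf_get and check_ldap_tls_conf are hypothetical, and it assumes option values contain no spaces.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): sanity-check the TLS trust
# settings in an OpenLDAP client config such as /etc/openldap/ldap.conf.

# Print the last value given for an option; option names are case-insensitive.
conf_get() {  # usage: conf_get FILE OPTION
  awk -v k="$2" 'toupper($1) == k { v = $2 } END { print v }' "$1"
}

# Return 0 if the configured trust store looks usable, 1 otherwise.
check_ldap_tls_conf() {  # usage: check_ldap_tls_conf FILE
  local conf=$1 dir file req rc=0
  dir=$(conf_get "$conf" TLS_CACERTDIR)
  file=$(conf_get "$conf" TLS_CACERT)
  req=$(conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')

  # "never" and "allow" make the connection work by skipping verification.
  case "$req" in
    never|allow) echo "FAIL: TLS_REQCERT $req disables server certificate checking"; rc=1 ;;
  esac
  if [ -z "$dir" ] && [ -z "$file" ]; then
    echo "FAIL: neither TLS_CACERTDIR nor TLS_CACERT is set"; rc=1
  fi
  if [ -n "$dir" ]; then
    if [ ! -d "$dir" ]; then
      echo "FAIL: TLS_CACERTDIR $dir does not exist"; rc=1
    # OpenSSL looks certificates up by <8 hex digits>.<n> names created by c_rehash.
    elif ! ls "$dir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
      echo "FAIL: $dir has no <hash>.N links; run c_rehash $dir"; rc=1
    fi
  fi
  if [ -n "$file" ] && ! grep -q 'BEGIN CERTIFICATE' "$file" 2>/dev/null; then
    echo "FAIL: TLS_CACERT $file is missing or not PEM"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $conf"
  return "$rc"
}
```

After sourcing the file, run check_ldap_tls_conf /etc/openldap/ldap.conf. A passing result only shows that the directory is hashed, not that it holds the CA for a particular server.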